Tor

Tor is an encrypted anonymising network that makes it harder to intercept internet communications, or see where communications are coming from or going to.

In order to use the WikiLeaks public submission system as detailed above you can download the Tor Browser Bundle, which is a Firefox-like browser available for Windows, Mac OS X and GNU/Linux and pre-configured to connect using the anonymising system Tor.

Tails

If you are at high risk and you have the capacity to do so, you can also access the submission system through a secure operating system called Tails. Tails is an operating system launched from a USB stick or a DVD that aim to leaves no traces when the computer is shut down after use and automatically routes your internet traffic through Tor. Tails will require you to have either a USB stick or a DVD at least 4GB big and a laptop or desktop computer.

Tips

Our submission system works hard to preserve your anonymity, but we recommend you also take some of your own precautions. Please review these basic guidelines.

1. Contact us if you have specific problems

If you have a very large submission, or a submission with a complex format, or are a high-risk source, please contact us. In our experience it is always possible to find a custom solution for even the most seemingly difficult situations.

2. What computer to use

If the computer you are uploading from could subsequently be audited in an investigation, consider using a computer that is not easily tied to you. Technical users can also use Tails to help ensure you do not leave any records of your submission on the computer.

3. Do not talk about your submission to others

If you have any issues talk to WikiLeaks. We are the global experts in source protection – it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly. This includes other media organisations.

After

1. Do not talk about your submission to others

If you have any issues talk to WikiLeaks. We are the global experts in source protection – it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly. This includes other media organisations.

2. Act normal

If you are a high-risk source, avoid saying anything or doing anything after submitting which might promote suspicion. In particular, you should try to stick to your normal routine and behaviour.

3. Remove traces of your submission

If you are a high-risk source and the computer you prepared your submission on, or uploaded it from, could subsequently be audited in an investigation, we recommend that you format and dispose of the computer hard drive and any other storage media you used.

In particular, hard drives retain data after formatting which may be visible to a digital forensics team and flash media (USB sticks, memory cards and SSD drives) retain data even after a secure erasure. If you used flash media to store sensitive data, it is important to destroy the media.

If you do this and are a high-risk source you should make sure there are no traces of the clean-up, since such traces themselves may draw suspicion.

4. If you face legal action

If a legal action is brought against you as a result of your submission, there are organisations that may help you. The Courage Foundation is an international organisation dedicated to the protection of journalistic sources. You can find more details at https://www.couragefound.org.

Submit documents to WikiLeaks

WikiLeaks publishes documents of political or historical importance that are censored or otherwise suppressed. We specialise in strategic global publishing and large archives.

The following is the address of our secure site where you can anonymously upload your documents to WikiLeaks editors. You can only access this submissions system through Tor. (See our Tor tab for more information.) We also advise you to read our tips for sources before submitting.

wlupld3ptjvsgwqw.onion

Copy this address into your Tor browser. Advanced users, if they wish, can also add a further layer of encryption to their submission using our public PGP key.

If you cannot use Tor, or your submission is very large, or you have specific requirements, WikiLeaks provides several alternative methods. Contact us to discuss how to proceed.

Vault 7: CIA Hacking Tools Revealed

Earl Grey Testing

CONOP:

Using two Flux nodes between ICON and the target for obfuscation; establish install path from admin host in target network coming from telnet port 23. Once installed, SNMPSimple Network Management Protocol trigger will come through the admin box as well and the target ASRAzure Site Recovery will beacon back from a random high port to the web host which has a forth Flux node installed on it that is bridging port 8080 to port 8080 in the flux tunnel.

Summary:

10/14 - Initial install test completed. Trigger sent and received back from implanted ASR

10/19 - Install/comms through Flux tunnel testing

10/20 - Sucessfully installed EGEarl Grey (Project name) on the target through the 3 Flux nodes appearing to originate from an admin workstation. Also successfully configured Flux/EG so that EGEarl Grey (Project name) would beacon back through an Internet connected Web host to pass the beacon back through the Flux tunnel.

Made new EGEarl Grey (Project name) implant with operational type settings with operator's input: Using 2 Flux nodes for obfuscation and 2 Flux nodes inside the target network for the gateway and return beacon. Successfully able to send SNMPSimple Network Management Protocol trigger appearing to come from admin host and the target successfully beaconing back from a random high port to 8080 on the web host.

Tested survey module with 500 second time duration on XX.XX.X.X (HURRICANE-9[US])/24 subnet

10/21 - Tested various survey options

10/22 - Installed additional Cisco access switch off of Office network segment and created two VMVirtual Machine hosts for this segment to use in testing

10/26 - Various survey testing, now with 800ms latency on flux nodes. Verified that source or dest on survey could only be as large as a /16 subnet. However, if the source and dest are both the host range, that it will survey all websites that the hosts visit due to the logic in the survey results.

Install duration is about one minute, 15 seconds with 2ms delay in lab network

Install duration at 1000ms delay is approximately 25 minutes. If the latency to target is greater than 1000ms, the installation will likely fail.

Install with delay at 1200ms consistantly fails.

Health checks, module commands, and retrieving survey files are all consistantly successful with delay up to 2000ms.

Avoid installing on target if there is a user logged in via telnet on a vty line. Installation may fail if users are occupying the vty lines or done within 30 minutes of an RP failover.

If install does fail with the message: "get prompt failed", wait at least 30 minutes after you're sure no users are actively using console or vty lines as they target is configured to expire these lines after 30 minutes.

Uninstall:

Observables:

Wireshark shows SNMPSimple Network Management Protocol packet with source of flux gateway with dest of XX.XX.X.XX (HURRICANE-9[US]) with C2 comms. The SNMPSimple Network Management Protocol community listed in the packet is "public".

If a trigger is sent to the target IP XX.XX.X.XX (HURRICANE-9[US]) when it is not implanted or the install failed, an SNMPSimple Network Management Protocol trap gets recorded on the SNMPSimple Network Management Protocol server.

Restarted ASRAzure Site Recovery to try again....same result as previous.

dw_checker.py

Using "-i" option in Makefiles to ignore matches from the dirty word checker. Appears that the result of this is that if matches are found compilation will continue along, forcing user to look through make scrollback to see if there were any dirty word hits of concern. They probably did this to get around false positive matches, but the result that it is very likely that legitimate matches will be missed ==> open defect

10/19 - Test install through Flux tunnel

Created IP access list on ASR1006, Ten 0/3/0.4 to block traffic from host X.X.X.XX (LVLT-GOGL-8-8-8[US]) to XX.XX.X.XX (HURRICANE-9[US]). This will ensure that ICON1 cannot directly attack the ASRAzure Site Recovery interface and that the source IP must appear to be coming from the Admin/FLX1 workstation.

Configured two Flux nodes between ICON and the target network and they show in the Flux GUIGraphical User Interface on my ICON box.

Configured Flux on "Web" and "Host1" in target network and they are showing as two spokes in the Flux GUIGraphical User Interface on ICON.

Configured the Flux gateway to be that of Host1(Admin/FLX1) so that source traffic going to ASRAzure Site Recovery will appear to come from this workstation from ICON.

Configured bridge in Flux GUIGraphical User Interface to bridge port 8080 that the beacon will call back on to port 4444 which is configured in the LP_Daemon listener.

Created websurvey.csv file and was able to view it on LibreOffice Calc

Asked User #73303/User #73304 why the results seem to switch the source/destination IP's.... he advised that was the logic requested of them based on how surveys are normally done. He will follow up to confirm how it's supposed to look.

User #73303 called back and advised that the IP with the lower port would be the "source" IP and the IP with the higher port would be the "dest" IP.

10/22 - Installed additional switch; Created two hosts on Office Network, updated seeds scripts on both sides to wget for more web addresses outside the test network and to the inside Web host (Spoke with operator who said he will mostly survey for port 80 traffic to find users to redirect to Windex)

The product of this syntax survey is that information is collected for any source or destination of XX.XX.X.X (HURRICANE-9[US])/16. Therefore, I see collection for any Internet destination going back to internal hosts on the target's internal network. This overall logic seems confusing as a user, but the above synatx will get the desired results.

From .7 seed host, cleared browser cache and went to 100.100.40.3 and was served the 100.100.40.4 page as expected. (As a side note, when trying to browse directly to 100.100.40.4, it would not load while modeule was active)

Once 600 second timer expired, original 100.100.40.3 page was served as expected.

Ran the same survey again for 1200 seconds = upload successful

Tried to upload same redir module while the original was running and the upload failed.

Browsed to 100.100.40.3 from seed host and was served 100.100.40.4 as expected again.

Browse from Seed host on Office network to webhost on ISP (XX.XX.X.XXX (HURRICANE-9[US]))

Unable to get this scenario to work. Tried redir to two other outside servers. Turning rule off allows normal browsing, however. Sent User #73303/User #73304 .pcap of 100.100.40.3 as it was seeing SYNFlag in TCP/IP Protocol packets but not sending anything back. Also sent them text of console messages that were popping up everytime a redir rule was put in place or that it ended.

10/28 - In lieu of situation with the redirection issue, will test Slurp-Slurp bugout

Ran cables for Ixia connections 0-3 on Ixia down to patch panel in Rack 5. Initial engineeering of Ixia connections. Added BGP Customer#1 router to run one line into as well.

November 4-5 Configuration/Setup of Ixia

Ixia testing to try and mimic taget load from most recent config: CPU utilization for five seconds: 2%/1%; one minute: 3%; five minutes: 3%

Was finally able to create an Ixia test profile that came close to these numbers. Since the majority of the traffic is routed at the card level in the test environment and the target environment. Very little traffic CPU usage is used.

== There seems to be some inconsistancy of the uptime for a control processor since now it shows 48 minutes on the 2nd failover back to RP1 and it did not show similar info when switched over to RP2.

What I conclude is that both control processors are "up" for the total time, but if a switchover happens to RP2, then the info procided is indeed true since RP2 has been up in "hot standby" for that amount of time. So, a switchover may occur to RP2 and not realize it by a "sh ver".

Forced switchover back to RP2

Waited till RP1 was back to "standby HOT"

ASR-1006 uptime is 3 days, 6 hours, 28 minutes Uptime for this control processor is 1 hour, 17 minutes System returned to ROMRead-Only Memory by SSOSingle Sign On Switchover at 12:26:33 ESTEastern Standard Time Mon Nov 9 2015

Installed back to RP2 = successful

ASR-1006 uptime is 3 days, 6 hours, 39 minutes Uptime for this control processor is 31 minutes System returned to ROMRead-Only Memory by SSOSingle Sign On Switchover at 13:14:18 ESTEastern Standard Time Mon Nov 9 2015 System restarted at 13:28:17 ESTEastern Standard Time Mon Nov 9 2015

Failed over to RP2, waited for RP1 to come back to "hot standby", was not logged into telnet on the target.... however, the install failed as it had in the past saying that the "get prompt failed".

Gave some time to the target to makde sure all sessions had timed out...exited out of RP2 console.

Waited at least 30 minutes as this is the time-out setting on the console and vty line on target. Tried to reinstall..... same error.

Logged in then out of console at 0850. Unable to log into vty since it's failed over to RP2.

Waited 35 minutes after last install/login attempt and tried to reinstall on target = successfull install and successfull health check

November 13 - Ixia stress test, etc

Have Ixia run traffic to inside web host and set up redirect rule to direct traffic back out of the network... then listen on port 80 of the internal host to make sure it does NOT receive port 80 traffic = success

(With Ixia traffic) Tried to reproduce bug where errors were printing to the console by repeatidly uploading modules and doing health checks. Was unable to make anything print to the console with this method.

Tried to re-create issue where logs print to console.... After 30 minutes of sending modules, force quiting modules, uninstalling, reinstalling, sending more modules, etc... I got the ASRAzure Site Recovery to crash. Once it came back up, I was not installed and had to reinstall. Upon reinstallation, I got similar console messages as before, but only two.

Started full complement of IXIA traffic and ran the previous redir rule successfully

Started a survey during the same IXIA test = successfully collected large survey of IXIA traffic

Since December 1 to December 4

Moved "Internet" link to G0/2/1 from Ten0/1/0... this ended up breaking redirection due to hook points on the interfaces

User #73303 developed a patch for 1.0.3 which was confirmed to fix the issue.... he will roll it into a 1.0.4 version for me to test soon

Updated the opertator who has concerns about having to check interface hook points on target. However, User #73303 did say there was a way to run IOSApple operating system for small devices commands via EGEarl Grey (Project name) to check hook points on actual target interfaces.